N.S. minister now says advice on handling portal breach from staff, not police

April 13, 2018

By The Canadian Press

HALIFAX — The Nova Scotia government was in damage-control mode Thursday as it modified its assertion that police had asked the Internal Services Department to hold off on releasing information about a security breach involving the province’s freedom-of-information internet portal.

On Wednesday, Internal Services Minister Patricia Arab and Premier Stephen McNeil said they delayed telling the public about the breach on the advice of police. Later in the day, Halifax Regional Police Supt. Jim Perrin denied that assertion, saying “there was no conversation between us and the province about holding off and not telling anybody.”

On Thursday, McNeil and Arab said department staff were in contact with police, but they confirmed it was staff members who recommended the delay.

“I didn’t specifically speak to Halifax Regional Police,” said McNeil. “Our security people who did in that conversation said the longer that they (police) would have to identify that IP address the better it would be. We made the choice, as I said yesterday, they (police) did not tell us not to notify.”

McNeil suggested reporters check back with police.

A reply was provided by police spokeswoman Const. Carol McIsaac.

“During the course of the investigation, it is normal for us to have discussions with complainants to ensure the best possible outcome, understanding it is not up to us to make the final decision on a public communication by the complainant,” she said. “We provided no instruction to hold back information.”

Meanwhile, Halifax police have arrested a 19-year-old man, who is now facing a charge of unauthorized use of a computer.

The government says about 7,000 documents were inappropriately accessed between March 3 and March 5, with about 250 containing highly sensitive personal information such as birthdates, social insurance numbers, addresses and government services’ client information.

The confirmation of the breach came nearly a week after the problem was first noticed by accident, when a provincial employee made a typing error. The portal was shut down April 5.

Arab said credit card information was not accessed in the breach.

She said her department is contacting people who were affected by the breach, and will offer to pay for third-party credit checks.

In an email, a department spokesman said the checks “will be offered to those clients where a level of personal information was disclosed that may cause risk of financial jeopardy. We don’t have an exact number at this time.”

Karla MacFarlane, the Progressive Conservatives’ interim leader, said the government had “created a mess” and was offering explanations that lack credibility.

“We have some mixed messages coming from the police, coming from her (Arab’s) department, coming from the premier. So I’m sure they are all scrambling to . . . make it look like they are all on the same page,” she said. “We clearly know that they are not.”

NDP Leader Gary Burrill said the handling of the situation called into question “the trustworthiness of the government’s word.”

The government has said the documents were accessed through a “vulnerability in its system” and not through a hack. They said someone wrote a script of computer code that allowed them to sequentially access “every document available on the portal.”

Privacy lawyer David Fraser said it’s always prudent to determine the nature of the data involved in any breach before going public with it.

“It can be sensible for them to do that,” Fraser said in an interview. “It’s just curious that we are getting differing accounts on what in fact happened and it sounds like the government is making some attempt to reconcile those accounts.”